WELCOME
The AML Risk Conundrum: What Does AML Risk Really Mean?
BSA Coalition Training Event, November 17, 2016

Opening Remarks: Amanda Tucker, BSA Coalition Board Member; Executive Vice President | Chief Risk Officer, Old Dominion National Bank

Melinda Lytle, Moderator: Financial Examiner and BSA Specialist, NC Office of the Commissioner of Banks
Debra D'Arrigo, Panelist: Director, AML Compliance, Capital One
Lisa G. Varner, Panelist: Senior Risk Management Officer and Senior Vice President, United Bankshares, Inc.

The views and opinions expressed here are those of the speakers. They do not represent an official position of the Federal Reserve Bank of Richmond or the Federal Reserve System.

Panel Objectives
- List and understand the challenges of implementing and documenting risk-based BSA/AML compliance programs
- Describe or implement ways to improve communication across business lines within your organizations
- Develop communication strategies with law enforcement and your regulators to ensure understanding of BSA/AML risk at your organization

Agenda (topic: speakers)
- Welcome and Introduction of Speakers: Tucker, Amanda
- The Definition of Risk - The Conundrum: Varner, Lisa/Melinda Lytle
- The Challenges of Risk-Based Compliance Programs: Lisa Varner, Debra D'Arrigo
- Risk Assessment Considerations: Varner/D'Arrigo/Lytle
- Best Practices for Communicating Risk: Varner/D'Arrigo
- Conclusions: Varner/Lytle/D'Arrigo
- Question and Answer Session: Varner/Lytle/D'Arrigo
- Closing Remarks: Tucker, Amanda

The Definition of Risk - The Conundrum
A technical definition of AML risk:
The risk to the institution of regulatory sanctions, fines, penalties or losses resulting from the facilitation of money laundering or terrorist financing

A regulator's perspective of AML risk:
- Managing risks is fundamental to banking
- Failure to establish a risk management structure is considered unsafe and unsound

What is risk?
Exposure to the chance of loss, or injury, or dangerous hazardous chance.

The components of risk evaluation:
- Threats
- Vulnerabilities
- Consequences

What are threats?
- A person or group or object or activity that has potential to cause harm
- Criminals, terrorist groups, their facilitators and their funds
- Identifying threats is where understanding risk begins

What are Vulnerabilities?
- Those things that can be exploited by the threat or support or facilitate the activity
- Evaluate vulnerabilities distinct from threats by focusing on those factors that present weaknesses in your AML systems and controls.
- Also focus on certain features of your products/services that make them attractive for AML purposes

What are Consequences?
- Impact or harm financial crimes can cause
- Risks to the financial system
- Risks to your institution
- Impacts your community, your business environment and your reputation

So, what's the conundrum?
- AML Program definition of "risk based" is very broad, inherently subjective in nature
- Risk is a function of three factors: Threat, Vulnerability, & Consequences
- Making judgments and everyone defines risk differently: Regulators, Law Enforcement, LOB, Management and Board
- Misunderstanding may lead to faulty controls or risk mitigants
- Mitigants can be difficult to operationalize
- Make sure to bridge the gap and require robust onboarding

The Challenges of Risk-Based Compliance Programs
Common Challenges of Risk-Based Compliance Programs
- Deciding the best way to measure and monitor risk in your institution
- Getting your partners on the same page about risk
- Implementing controls
- Communicating risk effectively - to your regulators, your business partners and law enforcement

Challenges of Risk-Based Compliance Programs: Small Bank Perspective
- How do we get to risk-based if we don't understand our risk?
- AML risk can be viewed from multiple perspectives and sources
  - Reputational, operational
  - Products, customers, geography
- Proactively engage our business lines, our regulators, and our local law enforcement

Challenges of Risk-Based Compliance Programs: Small Bank Perspective
- Business line challenges
  - Getting the LOB to understand AML risk
- Regulatory challenges
  - Getting regulators on board with your AML risk evaluation
  - Ask for their input
- Law enforcement challenges
  - Getting the right LE officer/agent who will provide information to help build your risk profile

Challenges of Risk-Based Compliance Programs: Large Bank Perspective
- Defining how to measure, monitor, control and ultimately report on risk
  - Systems used, tools, defining roles and responsibilities
  - Scope and timing of reporting, policies and procedures
- Aligning with internal and external constituents on a common definition of risk
  - Ensuring a mutual understanding exists about the quantity of risk exposure
- Implementing commensurate controls to mitigate risk
  - Systemic or manual
  - Detective vs. preventive
- Communicating risk effectively to management, auditors, regulators and law enforcement

Risk Assessment Considerations
Risk Assessment Considerations: Small Bank Perspective
- Working with your business lines
- Resources might be limited
- Methods to evaluate risk
  - Utilization of the FFIEC BSA/AML Examination Manual expanded sections and regulatory communications
  - Periodic meetings to gather and discuss those identified risks - BSA Action Team discussions
  - Assess risk separately or together - ML/TF
  - Looking at trends - Key Risk Indicators

Risk Assessment Considerations: Small Bank Perspective
- Preparing your written risk assessment
- Identifying specific risk categories, i.e. products, services, customers, entities, transactions and geographic locations
- Analysis, controls and risk rating
- Keeping your risk assessment updated

Risk Assessment Considerations: Large Bank Perspective
The risk assessment provides a perfect opportunity to clearly define the inherent risks to be managed throughout the program
[Diagram: Inherent Risk, surrounded by the labels Customers, Products, Services, Transactions, Channels, Geographies, Other Qualitative Factors, Emerging Economic Sanctions]

Risk Assessment Considerations: Large Bank Perspective
The risk assessment also provides context about the controls in place to mitigate the risk
Internal Controls
- Pillar 1 - Designated Chief AML and Sanctions Officer
- Pillar 2 - Independent Testing and Oversight
- Pillar 3 - Training
- Pillar 4 - Internal Controls, further defined as:
  - Policies and Procedures
  - Politically Exposed Persons (PEP)
  - Suspicious Activity Report (SAR) Filing
  - Customer Identification Program (CIP)
  - Risk-Based Approach (RBA)
  - Transaction Monitoring
  - Customer Due Diligence (CDD)
  - Enhanced Due Diligence (EDD)
  - MIS / Reporting
  - Regulatory Specific Record Keeping and Retention
  - Sanctions Monitoring

Risk Assessment Considerations: Large Bank Perspective
[Diagram: Measure Inherent Risk, Assess Internal Controls, Calculate Residual Risk]
The risk assessment measures risk and assesses controls to arrive at a residual risk rating

Risk Assessment Considerations: Large Bank Perspective
Results of the risk assessment should be documented in a formal report.
Elements to consider when utilizing the report as a tool to communicate risk:
- Broad distribution to all key stakeholders
- Report should tell the risk story of the organization
- Align with the functional organization but also consider legal entity nuances

Risk Assessment Considerations: Large Bank Perspective
Key elements of a comprehensive risk assessment
- Identifies areas of heightened risk
- Covers all risks (products, services, customers, entities, transactions, channels, geographies)
- Considers forward-looking/emerging risks
- Uses a formulaic approach to derive results
- Aggregates and prioritizes risks
- Provides enhanced risk reporting

Best Practices for Communicating Risk
Best Practices for Communicating Risk: Small Bank Perspective
With business lines:
- Should be shared and communicated with all business lines across the bank as well as board of directors, management, and appropriate staff
- Organizational awareness, knowledge and understanding
- Document in a concise and organized manner
- Importance of front line staff

Best Practices for Communicating Risk: Small Bank Perspective
With law enforcement:
- Key in the fight against money laundering and terrorist financing
- Identifies significant relationships, patterns and trends
- Can help your institution protect itself

Best Practices for Communicating Risk: Small Bank Perspective
With regulators:
- Risk assessment is shared during the examination - recommendations from examiners are considered for incorporation into the assessment
- Ongoing communication of key risk issues through quarterly calls
- One-off phone calls with regulator about significant AML risk events

Best Practices for Communicating Risk: Large Bank Perspective
All aspects of the compliance management program can be leveraged to implement, document and communicate risk-based AML programs to ensure risks are well understood and managed within the risk tolerance of the organization

Best Practices for Communicating Risk: Large Bank Perspective
Governance, Risk Management, and Compliance (GRC) systems can be leveraged to communicate risk.
GRC systems can provide comprehensive documentation of risks and requirements
- Inventory of all laws & regulations (risks) to manage
- Associate applicable risks to business areas
- Demonstrate control coverage
- GRC typically forms a basis for compliance monitoring and testing

Best Practices for Communicating Risk: Large Bank Perspective
Policy and Procedures (P&Ps) are another way to communicate risk.
- Enterprise P&Ps provide Program-level guidance
- Businesses should implement subordinate procedures
  - Clear articulation of roles and responsibilities
  - Delineate risk takers vs. risk managers
  - End-to-end coverage (onboarding through the account life cycle)

Best Practices for Communicating Risk: Large Bank Perspective
Management Information Systems (MIS) can facilitate management's ability to effectively measure, monitor, control and report on risk.
Technology strategy should be prioritized to cover top risks and ensure:
- Consistent and accurate customer data collection occurs
- Data is available for use in downstream AML processes
- Meaningful management reporting can be produced
[Diagram: 1st Line Data Collection, 2nd Line Data Usage, Internal/External Reporting]

Best Practices for Communicating Risk: Large Bank Perspective
Reporting is a critical communication mechanism used to reach a broad group of constituents with a consistent message.
Key elements of successful reporting
- Audience is defined
- Level, extent and frequency of reporting is tailored to the audience
- Key Risk Indicators and Key Performance Indicators included
- Signal early warnings of adverse trends
- Overall state of compliance is reflected

Best Practices for Communicating Risk: Large Bank Perspective
Other Program components can be leveraged for communicating risk.
- Board and Senior Management oversight/escalation channels
- Auditors, regulators and law enforcement
  - Audit: Proactive engagement
  - Regulators: Routine meetings; shared reporting; offer deep dive reviews; communicate organizational changes or material risk issues and controls breakdowns promptly
  - Law enforcement: FIU should have clear communication channels/established Points of Contact
- Compliance Monitoring and Testing plans

Best Practices for Communicating Risk: Large Bank Perspective
Training is a required Program pillar and is a key component to ensuring there is a mutual understanding of risk and controls.
Key elements of an effective Training program:
- Scope should be enterprise wide to include all personnel whose duties require knowledge of the BSA/AML requirements, including new hires
- Content is tailored to the specific responsibilities of each area and target audience
- Examples of money laundering activity and red flags are included
- Attendance is documented and retained

Conclusions
How do you solve for the Conundrum?
- Strengthen relationships with business lines, regulators and law enforcement
- Understand risk through the risk assessment process
- Communication
- Education and training

How do you solve for the Conundrum? Here's your action list
- Ensure a clear definition and a mutual understanding of risk throughout the bank
- Implement controls
- Educate business lines, regulators and law enforcement about AML risk throughout the risk assessment process
- Ensure mutual understanding of BSA/AML risk between your bank, regulators and law enforcement

Questions?
Closing Remarks